-
-
Notifications
You must be signed in to change notification settings - Fork 754
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve ProxyHeadersMiddleware #2231
Conversation
@Kludex - this is mostly done A few questions though: q1: I've noticed that in the README we state the project is 3.8+ though the pyproject.yaml is for 3.7+ Should we do anything about this?
Turns out I should have run
Nevermind fixed it myself. |
I believe this is ready for review @Kludex |
I don't see that... 🤔 |
@nhairs You are adding much more stuff on top of the previous PR. Can we do this step by step? The way I propose:
|
Ah never-mind, I suspect it's because of the original PR being so old and referencing the older code against the current website 🤦. |
Are you able to be more specific about what parts you're concerned about? If we exclude update related tests / docs, I think we are left with the following: A: supporting both IP version 4 and 6 (which is in the comments I left on the original PR). I don't think it makes sense to separate generic support versus v4 only support. The direct support of IP addresses instead of just networks is simply an optimisation / guard rail for users - strictly speaking you could remove the specialised handling code and the user experience would be the same. I chose to keep it because "justifying the PR" could be complicated when I could just keep it apart of the large changes occurring. B: Better Unix socket handling. Whilst I could pull this into a separate PR, I'd prefer to fix this at the same time. The current recommended solution of trusting everything could very easily introduce vulnerabilities to user's applications. I'd rather not tell users to aim a gun at their foot. C: There's some other miscellaneous fixes referenced in the original PR that could be fixed at the same time. Rather than introducing bugs that we'll either immediately replace with the refactor this PR does or immediately submit a PR for doesn't make sense to me. If you have a different view of "what the chunks are" I'm happy to discuss 🙂 Related to your question in #2237 perhaps we are looking some of this the wrong way - specifically trying to auto-magically support all proxy-header use cases from the command line. Perhaps it would be better to deprecate the command-line support (that is probably best described as a stop-gap measure) and instead provide a more fleshed out set of proxy middle-ware that user's can configure themselves before wrapping their application in it. If this were the case it's arguable that such "middleware" might be better abstracted into it's own package so that any ASGI compatible project can re-use the logic without needing to implement it itself (if there's one thing I've learnt looking into these headers its that properly handling them is non-trivial). Or even generic enough that it can provide ASGI, WSGI, or raw handlers. |
7b314cf
to
1b3eb6f
Compare
This is done |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nhairs Would you mind rebasing it, and checking if the proxy_headers.py
file is fully covered by tests? I'll continue my review as soon as that is done.
I want to clean up the PRs we have here.
Co-authored-by: Marcelo Trylesinski <[email protected]>
@Kludex - master has been merged in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll finish the review in a few days. I'm a bit AFK those days.
Checklist for myself
- Check if tests makes sense, and think about the
make_*
utility functions (are they noisy or good?)
else: | ||
scope["scheme"] = x_forwarded_proto | ||
|
||
if x_forwarded_proto in {"http", "https", "ws", "wss"}: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need this conditional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To prevent garbage being passed through.
E.g. (from the tests) if you pass through X-forwarded-proto: asdf
it will be ignored.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean, we know that the x-forwarded-proto
will assume those values anyway. Is this check saving us from something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is nothing to guarantee that it will not receive garbage.
Co-authored-by: Marcelo Trylesinski <[email protected]>
@Kludex - just making sure you got a notification that I updated this for requested changes. |
What is the status here? I am interested in this (or more precisely #2237) and am willing to help if needed. |
# Note: because we always convert invalid IP types to literals it | ||
# is not possible for the user to know they provided a malformed IP | ||
# type - this may lead to unexpected / difficult to debug behaviour. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right. Any suggestions?
I'm not able to push to this branch, I'm not sure why. I have mainly nitpicks that I'd like to push. |
@nhairs Beautiful work. I think this is the best PR I've ever seen:
I'm sorry for the delay on the review here. I hope the delay on the review doesn't demotivate you to open more PRs here. 🙏 I have some docs fixes, typing improvements, and nitpicks that I'll address in #2468, since I can't push changes to this branch. |
Foreword
This PR is a continuation of #1611 building upon the existing work of @pypae
Summary
This PR addresses multiple issues mentioned in #1068 to improve the
ProxyHeadersMiddleware
.host
for requests from clients running on the proxy server itself. (The main issue)x-forwarded-for
headers. (Mentioned by @b0g3r)Checklist
_TrustedHost
test cases are adequate for testing that IPv6 is supported without also passing values through theProxyHeaderMiddleware
test cases as well.Test plan
Advanced testing using the following NGINX config which can be tweaked to test different combinations of proxies.